The Microsoft Browser Vulnerability Research team is currently testing a Super Duper Secure Mode for the Edge web browser. That’s right. This mode is all about securing Edge ignoring any negative impacting performance. Although this mode is extremely experimental as of now, it will prevent attackers to try to exploit bugs in Microsoft’s browser by turning off certain optimizations. But the company says that the mode will most likely be renamed that sounds more professional at the launch. At the core of the experiment is the “Just-In-Time-Compilation” (JIT) engine. This technology can help speed up web browsing but may hinder system security. The Super Duper Secure Mode works by removing Just-In-Time compilation from the V8 processing pipeline, which ultimately decreases the attack surface that can be used to hack into Edge’s systems.
Bleeping Computer explains it seamlessly. Also, along with disabling the JIT, SDSM enables “new security mitigations” to make Edge a more secure browser. As Microsoft says, “Performance and complexity often come at a cost, and often we bear this cost in the form of security bugs and subsequent patches. Looking at CVE (Common Vulnerabilities and Exposures) data after 2019 shows that roughly 45% of CVEs issued for V8 were related to the JIT engine.” This explains the need for the Super Duper Secure Mode. I, it will effectively reduce the vulnerability potential of the browser. Microsoft says that this can “remove roughly half of the V8 bugs that must be fixed.” JavaScript has an essential role in any browser story.
“JITs exist for a reason, and that is to optimize JavaScript performance,” directly reported by the Microsoft browser in their August 4 blog post about SDSM. But up until now, the researchers claim that they haven’t seen much of a change in performance with JIT disabled as most of their tests remained untouched. Although for obvious reasons, there are quite a few people concerned that turning off technology meant to make a huge part of modern websites run faster could hurt performance at another level. The same blog post also states that disabling JIT can lead to significantly lower JavaScript benchmark scores, but the team also says that, in the real world, people couldn’t spot the change. But the Microsoft team noted that it is in fact looking for a solution to make the mode smart by having it turn protections on and off based on the risk a website may pose, or how resource-intensive it may be.
The experimental Super Duper Secure Mode seems to be only in its early stages, the team though, does want to try things that it hasn’t enabled yet. Moreover, the mode doesn’t work on all the platforms that Edge supports, and the team says there are “quite a few technical challenges to overcome” before the official launch. But the progress is really exciting, and since Edge is now based on Chromium, it uses the same JavaScript engine as Chrome. So the speculations are that the Super Duper Secure Mode may end up being adopted by other browsers if it wins success over Edge. “The VR is experimenting with a new feature that challenges some conventional assumptions held by many in the browser community,” Microsoft’s Johnathan Norman explains.
“Our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers. Mitigations have a long history of being bypassed, so we are seeking feedback from the community to build something of lasting value.” The team though, does admit that the name Super Duper Secure Mode is “slightly provocative” but only because they wanted to work with fun and also because it’s too early for the christening. Although don’t raise your hopes for the name, lol. In the experiments, the team of Microsoft did hundreds of performance tests, disabling and enabling JIT. “Anecdotally, we find that users with JIT disabled rarely notice a difference in their daily browsing,” Microsoft clarifies. Rigorous testing shows performance variance, but the impact of those changes on browsing is still not discovered fully.
Microsoft also notes that the value of performance gains brought by JIT depends on the kind of use for the web. For instance, a user reading a blog might not even notice a minor drop in performance, but a user gaming online will. But as Norman ensures us, most Chromium-based web browser exploits target Google’s V8 JavaScript rendering engine because “JavaScript engine bugs … provide powerful exploit primitives, there is a steady stream of bugs, and exploitation of these bugs often follows a straightforward template.” This is also applicable for non-Chromium browsers. He also tells us that JavaScript engines pose a great challenge for browsers.
To solve this issue, Edge’s proposed Super Duper Secure Mode would disable the JavaScript engine’s Just-In-Time (JIT) compilation technology, which speeds up JavaScript workloads dramatically and makes this scripting language roughly as performant as native C++ code, the reason being that a lot of complexity is needed to obtain this level of performance, which provides hackers with lots of places to pry for vulnerabilities. “What if we simply disabled the JIT?” Jonathan asks a rhetoric question and goes on to say, “This reduction of attack surface has potential to significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed. For users, this means less frequent security updates and fewer emergency patches required.” This may sound incredible but it will also result in drastically slowing Microsoft Edge.
But that is highly debatable, as Norman says that users with JIT disabled rarely notice a difference in their daily browsing in testing. The performance degradation across multiple tasks ranged from no change at all to 16.9 percent, gaining an average 11 percent increase in power consumption and a 2.3 percent increase in memory usage. But a notable change of range as high as 58 percent may occur in the infamous Speedometer 2.0 which no one is talking about. “However, often users do not notice this impact because this benchmark tells only part of a larger performance story,” Jonathan goes on to explain. And that is indeed true for all benchmarks. Furthermore, the Microsoft team plans to scrutinize its Super Duper Secure Mode experiment in the coming months and then determine the fate of the feature: the bin or Edge.
He also admits to thinking of changing his team’s “tongue-in-cheek” name for a more professional one maybe. Microsoft users will be very upset if they find out that they’ve been exploited by the Super Duper Secure Mode, so the Microsoft team has to ensure preventing incurring any extra liability. But if successful, this mode will bring a welcome whimsy to the browser alongside the additional protection. And here’s information that may intrigue you: if you want to test the Super Duper Secure Mode yourself, all you need to do is enable it in edge://flags with Edge Canary, Dev, and Bet. But please send Microsoft your feedback using the Feedback menu in Edge.